10-11-2017, 08:55 AM
(This post was last modified: 10-11-2017, 10:09 AM by stuartiannaylor.)
Add shorewall
apt-get install shorewall
nano -w /etc/default/shorewall
Change
startup = 0 to startup = 1
Copy the example rules from
/usr/share/doc/shorewall/examples/two-interfaces/
cp /usr/share/doc/shorewall/examples/two-interfaces/interfaces /etc/shorewall/interfaces
cp /usr/share/doc/shorewall/examples/two-interfaces/masq /etc/shorewall/masq
cp /usr/share/doc/shorewall/examples/two-interfaces/policy /etc/shorewall/policy
cp /usr/share/doc/shorewall/examples/two-interfaces/rules /etc/shorewall/rules
cp /usr/share/doc/shorewall/examples/two-interfaces/zones /etc/shorewall/zones
Here are the contents of mine; apart from the rules file, which has an additional DNS rule from loc to fw plus webmin and ntp rules, all are verbatim.
/etc/shorewall/interfaces
#
# Shorewall - Sample Interfaces File for two-interface configuration.
# Copyright © 2006-2015 by the Shorewall Team
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# See the file README.txt for further details.
#------------------------------------------------------------------------------
# For information about entries in this file, type "man shorewall-interfaces"
###############################################################################
?FORMAT 2
###############################################################################
#ZONE   INTERFACE   OPTIONS
net     eth0        dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
loc     eth1        tcpflags,nosmurfs,routefilter,logmartians
/etc/shorewall/masq
#
# Shorewall - Sample Masq file for two-interface configuration.
# Copyright © 2006-2015 by the Shorewall Team
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# See the file README.txt for further details.
#------------------------------------------------------------------------------
# For information about entries in this file, type "man shorewall-masq"
################################################################################################################
#INTERFACE:DEST   SOURCE           ADDRESS   PROTO   PORT(S)   IPSEC   MARK   USER/   SWITCH   ORIGINAL
#                                                                             GROUP            DEST
eth0              192.168.0.0/16
/etc/shorewall/policy
#
# Shorewall - Sample Policy File for two-interface configuration.
# Copyright © 2006-2015 by the Shorewall Team
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# See the file README.txt for further details.
#------------------------------------------------------------------------------
# For information about entries in this file, type "man shorewall-policy"
###############################################################################
#SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
loc       net    ACCEPT
net       all    DROP     info
# THE FOLLOWING POLICY MUST BE LAST
all       all    REJECT   info
/etc/shorewall/rules
#
# Shorewall - Sample Rules File for two-interface configuration.
# Copyright © 2006-2015 by the Shorewall Team
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# See the file README.txt for further details.
#------------------------------------------------------------------------------
# For information about entries in this file, type "man shorewall-rules"
######################################################################################################################################################################################################
#ACTION        SOURCE   DEST   PROTO   DEST    SOURCE    ORIGINAL   RATE    USER/   MARK   CONNLIMIT   TIME   HEADERS   SWITCH   HELPER
#                                      PORT    PORT(S)   DEST       LIMIT   GROUP
?SECTION ALL
?SECTION ESTABLISHED
?SECTION RELATED
?SECTION INVALID
?SECTION UNTRACKED
?SECTION NEW
Invalid(DROP)  net      all    tcp
# Don't allow connection pickup from the net
#
# Accept NTP connections from the firewall to the network
ACCEPT         $FW      net    udp     123
#
# Accept DNS connections from the firewall to the network
#
DNS(ACCEPT)    $FW      net
#
# Accept DNS connections from the local network to the firewall
DNS(ACCEPT)    loc      $FW
#
# Accept SSH connections from the local network for administration
#
SSH(ACCEPT)    loc      $FW
#
# Allow Ping from the local network
#
Ping(ACCEPT)   loc      $FW
#
# Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
#
Ping(DROP)     net      $FW
ACCEPT         $FW      loc    icmp
ACCEPT         $FW      net    icmp
#
# Webmin from the local network only
ACCEPT         loc      $FW    tcp     10000
/etc/shorewall/zones
#
# Shorewall - Sample Zones File for two-interface configuration.
# Copyright © 2006-2014 by the Shorewall Team
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# See the file README.txt for further details.
#------------------------------------------------------------------------------
# For information about entries in this file, type "man shorewall-zones"
###############################################################################
#ZONE   TYPE       OPTIONS   IN        OUT
#                            OPTIONS   OPTIONS
fw      firewall
net     ipv4
loc     ipv4
So you can now refresh your webmin page and you should automatically get a shorewall admin section.
IPv6 is done by shorewall6 and it's a duplicate, just with IP addresses that twist my melon.
So before anyone says it: it's just an apt-get install shorewall6 if you wish.
Currently we still have the iptables we originally set up, but when you do start shorewall it will overwrite those rules with the shorewall setup.
When you stop shorewall it will revert back to a working but open router setup.
So it's up to you, but to run with shorewall only, then firstly
systemctl enable shorewall
as, to be honest, I think it's needed even if the docs I read never mentioned it.
If you want to take out the rules that we originally created and test shorewall only:
nano /etc/network/interfaces.d/eth1
auto eth1
iface eth1 inet static
address 192.168.0.1
network 192.168.0.0
netmask 255.255.255.0
broadcast 192.168.0.255
#post-up iptables-restore < /etc/iptables.up.rules
Comment out the post-up line with a hash as above.
nano /etc/sysctl.conf
#net.ipv4.ip_forward=1
Again, comment out ip_forward.
Click check firewall and if all is OK click apply configuration in webmin.
Then that is the next part done and we are a little safer, with ssh & webmin only available from the local network.
Next step is to install openvpn and only allow ssh & webmin on localhost, so the only way you can connect is via a VPN.
Which is really how ssh & webmin should be run on any server in my books.
There is a lot of internet chatter about webmin being unsafe, which seems to suggest running an admin console public means the software is unsafe.
It's so paradoxical that we shall not go there, and after the next step, once we add the VPN subnet as the only access point to the settings of webmin and ssh, dunno, I just don't get the arguments.
Who would run a web-based admin console public??!
So all is good so far with the rockwall; next step openvpn.
PS: I haven't got the functionality to put my rock public and port scan it externally, but the above should find it locked from external access.
Anyone who wants to check, please do.
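The post cannot port-scan the box from outside, but the posted policy and rules files are enough to work out what Shorewall will do with any given connection before it is exposed. The script below is an added example, not part of the original post and not Shorewall's own code: it re-implements, in a deliberately simplified way, the evaluation order Shorewall uses (rules in the NEW section first, in file order, then the first matching policy line) and runs the post's own rules and policy text through it. The DNS, SSH and Ping expansions are the standard Shorewall macros; Invalid(DROP) is a conntrack-state action and is left out of this connection-level model. Everything else (the zone names, the column layout, the flows tried) is taken from the posted files.

```python
"""Model of how Shorewall resolves a NEW connection against the posted
two-interface policy and rules files.  Added example, not Shorewall code:
rules are tried in file order, then the first matching policy line wins.
Invalid(DROP) is a conntrack-state action and is skipped by the parser."""
from collections import namedtuple

Rule = namedtuple("Rule", "action src dst proto ports text")
Policy = namedtuple("Policy", "src dst action log")
Verdict = namedtuple("Verdict", "action logged reason")

# Standard Shorewall macros reduced to (proto, dest port) pairs.
MACROS = {
    "DNS": [("udp", 53), ("tcp", 53)],
    "SSH": [("tcp", 22)],
    "Ping": [("icmp", 8)],   # ICMP echo-request
}

# NEW-section rules exactly as posted above (ACTION SOURCE DEST PROTO DPORT).
RULES_TEXT = """
Invalid(DROP) net  all  tcp
ACCEPT        $FW  net  udp   123
DNS(ACCEPT)   $FW  net
DNS(ACCEPT)   loc  $FW
SSH(ACCEPT)   loc  $FW
Ping(ACCEPT)  loc  $FW
Ping(DROP)    net  $FW
ACCEPT        $FW  loc  icmp
ACCEPT        $FW  net  icmp
ACCEPT        loc  $FW  tcp   10000
"""

# Policy file as posted; order matters, first match wins.
POLICY_TEXT = """
loc  net  ACCEPT
net  all  DROP    info
all  all  REJECT  info
"""


def _zone(name):
    """Shorewall writes the firewall's own zone as $FW in rules and policy."""
    return "fw" if name == "$FW" else name


def _ports(spec):
    """'80,443' or '6000:6010' -> set of ports; None means any port."""
    if spec is None:
        return None
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def _stripped(text):
    """Yield the fields of each non-comment, non-?directive line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line and not line.startswith("?"):   # skip ?SECTION / ?FORMAT
            yield line.split()


def parse_rules(text):
    rules = []
    for fields in _stripped(text):
        action, src, dst = fields[0], _zone(fields[1]), _zone(fields[2])
        proto = fields[3] if len(fields) > 3 else None
        ports = fields[4] if len(fields) > 4 else None
        line = " ".join(fields)
        if action.endswith(")"):                 # Macro(ACTION) form
            macro, inner = action[:-1].split("(")
            for mproto, mport in MACROS.get(macro, []):   # unknown macro: skipped
                rules.append(Rule(inner, src, dst, mproto, {mport}, line))
        else:
            rules.append(Rule(action, src, dst, proto, _ports(ports), line))
    return rules


def parse_policy(text):
    return [Policy(_zone(f[0]), _zone(f[1]), f[2], f[3] if len(f) > 3 else None)
            for f in _stripped(text)]


def decide(rules, policies, src, dst, proto, port=None):
    """Verdict for a NEW connection from zone src to zone dst."""
    for r in rules:
        if (r.src, r.dst) != (src, dst):
            continue
        if r.proto is not None and r.proto != proto:
            continue
        if r.ports is not None and port not in r.ports:
            continue
        # No posted rule carries a :level suffix, so a rule hit is not logged.
        return Verdict(r.action, False, "rule: " + r.text)
    for p in policies:
        if p.src in ("all", src) and p.dst in ("all", dst):
            return Verdict(p.action, p.log is not None,
                           "policy: %s %s %s" % (p.src, p.dst, p.action))
    raise ValueError("no policy matched; the policy file must end with 'all all'")


if __name__ == "__main__":
    rules, policies = parse_rules(RULES_TEXT), parse_policy(POLICY_TEXT)
    for flow in [("net", "fw", "tcp", 22), ("loc", "fw", "tcp", 22),
                 ("net", "fw", "tcp", 10000), ("net", "fw", "icmp", 8),
                 ("net", "loc", "tcp", 445), ("fw", "net", "tcp", 443)]:
        v = decide(rules, policies, *flow)
        print("%-4s -> %-3s %-4s %-5s : %-6s logged=%-5s (%s)"
              % (flow + (v.action, v.logged, v.reason)))
```

Run against the posted files, the model confirms what the post claims: ssh and webmin (tcp/22, tcp/10000) from net hit the `net all DROP info` policy and are dropped with a log entry, while the same ports from loc are accepted by the explicit rules; ping from net is dropped by the `Ping(DROP)` rule, i.e. silently, which is the "prevent your log from being flooded" point. It also shows one consequence of the sample policy file worth knowing before relying on it: a connection from the firewall itself to net that is not DNS, NTP or ICMP (tcp/443, for example) falls through to `all all REJECT`, so package updates run on the box will fail until a `$FW net ACCEPT` policy or rule is added. This is a model of the evaluation order only; `shorewall check` on the real box remains the authority on whether the files compile.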